CVE-2022-42130 - Liferay Portal Dynamic Data Mapping Permission Flaw Exposed

In November 2022, a critical vulnerability was disclosed in Liferay Portal’s Dynamic Data Mapping (DDM) module, tracked as CVE-2022-42130. This flaw impacts a range of Liferay Portal versions, from 7.1. up through 7.4.3.4, as well as several versions of Liferay DXP. At its core, this security issue allows any user with basic authentication to access all form entries—across organizations and users—even when they lack the correct permissions.

Below, we’ll break down what this vulnerability means, how it works, peek at some code, and show you where to learn more or test it yourself.

What Is Liferay Portal and Dynamic Data Mapping?

Liferay Portal is a popular open-source enterprise portal, often used as a corporate intranet, public website builder, or digital experience platform. The Dynamic Data Mapping (DDM) module is Liferay’s toolset for building custom forms and data structures—think user surveys, feedback forms, or data intake workflows.

Who’s Affected?

* Liferay Portal: 7.1. through 7.4.3.4  
* Liferay DXP:

Description

The DDM module does *not* perform a proper check on users’ permissions before returning form entries. Any user with an account and access to the relevant API endpoints can fetch all form data—regardless of their role or what they should be allowed to see.

Translation:

A regular authenticated user can see sensitive submissions from other users or groups!

How Does It Happen? (Technical Details)

The permission flaw comes down to how the DDM REST APIs handle requests. For example, the endpoint /o/headless-form/v1./forms/{formId}/form-records is supposed to enforce permission checks, but does not fully validate the current user’s rights before returning results.

Let’s look at a simplified (pseudo-code) version of what the backend might have been doing

// This is a conceptual example, NOT actual Liferay source code

public List<FormEntry> getFormRecords(long formId, User user) {
    // Fetches all entries for given formId
    List<FormEntry> entries = formEntryService.fetchByFormId(formId);

    // Here’s where a permission check *should* have happened!
    // But the code returns ALL entries to any user who calls this.
    return entries;
}

The problem:

The permission check to ensure that user can see each FormEntry is missing.

Make a REST API call to fetch form entries, e.g.

curl -u regularuser:password \
  'https://your-liferay-site.com/o/headless-form/v1./forms/{formId}/form-records';

3. You get back *every* submission for that form, even those from other users or sensitive business flows.

Sample API Response (Redacted)

{
  "items": [
    {
      "id": 1,
      "creator": "admin",
      "fieldValues": {"ssn": "123-45-6789"},
      ...
    },
    {
      "id": 2,
      "creator": "regularuser2",
      "fieldValues": {"ssn": "987-65-4321"},
      ...
    }
  ],
  "totalCount": 2
}

Liferay Security Advisory:

https://liferay.dev/blogs/-/blogs/security-advisory-dynamic-data-mapping-form-permissions

NVD CVE Entry:

https://nvd.nist.gov/vuln/detail/CVE-2022-42130

GitHub Disclosure Example:

https://github.com/liferay/liferay-portal/blob/master/CHANGELOG.markdown

Conclusion

CVE-2022-42130 is a powerful reminder that permission checks are crucial for every single API layer. If you’re using Liferay DDM forms, this bug could mean your user data is already wide open. Patch ASAP, audit your instance, and regularly monitor Liferay’s security advisories.


If you found this useful or need help testing your Liferay for this or other vulnerabilities, drop a comment or check out Liferay’s Security Best Practices.

Timeline

Published on: 11/15/2022 02:15:00 UTC
Last modified on: 11/18/2022 16:02:00 UTC